After extensive testing of 10 advanced endpoint protection products, we have identified a series of broad industry trends:
1. Virus signatures are passé. Creating a virus with a unique signature is child’s play, thanks to the nearly automated virus construction kits that have filled the internet over the past several years. Instead, many of today’s advanced endpoint protection products make use of security news feeds that report on the latest attacks such as VirusTotal.com and other reputation management services. Some, like CrowdStrike, have a long list of integrations with security and log management tools to make them more effective at spotting attack trends.
2. Tracking executable programs is so last year. In the old days of malware, exploits typically had some kind of payload or residue that they left on an endpoint: a file, a registry key or whatnot. Then the bad guys graduated to run their business just in memory, leaving little trace of their activity, or they would hide inside PDFs or Word documents, or would force your Web browser to a phished site that contained Java-based exploits.
Today’s hackers have become more sophisticated, using Windows Powershell commands to set up a remote command shell, pass a few text commands, and compromise a machine without leaving much of a trace on an endpoint. To be effective at fighting this new kind of behavior, today’s products look at what effect the attacker has on the endpoint: does it drop any files, including what may seem at first benign text files, or make any changes to the Windows Registry? Figuring this out isn’t easy and many of the products are focused in this area to prevent the bad guys from gaining control over your computers.
3. Can the product track privilege escalation or other credential spoofing? Modern attackers try to penetrate your network with a legit user credential that uses a default setting from when you installed SQL Server or some other product, and then escalates to a domain administrator or other more significant user with greater network rights.
4. Insider threats are more pernicious, and blocking them has become more compelling. One of the reasons why traditional anti-virus protection has failed is because attackers can gain access to your internal network and do damage from a formerly trusted endpoint. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.
5. Data exfiltration is more popular than ever. Moving private user data, or confidential customer information, out of your network is the name of the game today. Look no further than Sony or Target as examples of what the EDR tool has to deal with now. Tools that can track these exfiltrations are more useful.
6. Many tools are using big data and cloud-based analytics to track actual network behavior. One of the reasons why sensors and agents are so compact is that most of the heavy lifting happens in the cloud, where they can bring to bear big data techniques and data visualization to identify and block a potential attack. SentinelOne and Outlier Security use these techniques to correlate data across your network in real time.
7. Attack reporting standards like CEF, STIX, and OpenIOC are also being integrated into today’s endpoint products. SentinelOne is an example.This is a welcome development and hopefully more products will move in this direction.
This story, "7 trends in advanced endpoint protection" was originally published by Network World.
Nvidia's new 3GB version of the GeForce GTX 1060 goes toe-to-toe with the $200 Radeon RX 480—in theory.
The new Moto Z Droid and Moto Z Droid Force are now available from Verizon and Motorola. They’re some...
Apple has to out-execute itself (and its rivals) every year to coerce millions of users to upgrade and...
Sponsored by Centrify
Sponsored by Connection
Information Service Group’s purchase of competitor Alsbridge creates a larger, more well-rounded...
There will still be plenty of work to go around so job prospects should remain good, especially for...
In a move designed to help customers be more agile, Accenture is expanding its Accenture AWS Business...
Want to support diversity in the workplace and help girls, women, people of color and the LGBTQ...